Privacy Policy

Confirm It — Shopify Order Verification App

Effective Date: May 26, 2026  •  Last Updated: May 26, 2026

Contents
  1. 1. Overview
  2. 2. Data We Collect
  3. 3. How We Use Data
  4. 4. Third-Party Services
  5. 5. Data Sharing
  6. 6. Data Retention
  7. 7. Security
  8. 8. Your Rights (GDPR)
  9. 9. Merchant Responsibility
  10. 10. Children's Privacy
  11. 11. Changes to This Policy
  12. 12. Contact Us
This Privacy Policy explains how Codecilia ("we", "us", "our") collects, uses, stores, and protects data when you install and use the Confirm It Shopify application. By installing the app, you agree to the practices described below.

1. Overview

Confirm It is a Shopify embedded application that helps merchants verify customer orders before fulfilment. When a new order is placed on your Shopify store, Confirm It automatically contacts the customer via WhatsApp or an automated voice call (IVR) to confirm the order is genuine. This reduces fake orders, chargebacks, and wasted fulfilment costs.

To provide this service, Confirm It receives order and customer data from Shopify via webhooks, processes that data to compose and send confirmation messages, and stores the outcome in our database.

2. Data We Collect

2.1 Merchant / Shop Data
Data ItemPurpose
Shopify shop domain (e.g. yourshop.myshopify.com)Identify and authenticate your store
Shopify OAuth access tokenMake authorised API calls to your store (update tags, create fulfilments)
Granted OAuth scopesRecord what permissions have been granted
App configuration (WhatsApp credentials, IVR URL, messaging limits)Operate the app according to your settings
Install / uninstall timestampsBilling and audit records
2.2 Customer Data (received via Shopify webhooks)

When your store receives an order, Shopify sends the following order payload to Confirm It. We store this data to enable order confirmation and display it in your dashboard.

Data ItemSource
Customer first name and last nameShopify order webhook payload
Customer phone numberShopify order webhook payload (shipping address or customer record)
Customer email addressShopify order webhook payload
Order number and Shopify order IDShopify order webhook payload
Order line items (product names, quantities, prices)Shopify order webhook payload
Order total, currency, financial statusShopify order webhook payload
Shipping address (city, country)Shopify order webhook payload
Order status URL (customer-facing order tracking link)Shopify order webhook payload
WhatsApp message delivery status and customer repliesWhatsApp API provider webhooks
IVR call outcome (confirmed / cancelled / no answer)Your configured IVR provider

We do not collect payment card numbers, bank account details, passwords, or any government identification numbers.

3. How We Use Data

  • Order confirmation: We use the customer's phone number to send a WhatsApp message or place an automated voice call asking the customer to confirm or cancel their order.
  • Order management: We use the Shopify access token to update order tags (e.g. "CONFIRMED") and create fulfilments on your behalf via the Shopify API.
  • Dashboard display: Order data is displayed in the Confirm It dashboard embedded inside your Shopify admin panel.
  • Rate limiting and billing: We track monthly message counts and costs to enforce the limits you have configured and calculate estimated usage costs.
  • Service improvement: Aggregated, anonymised usage statistics (not individual customer data) may be used to improve the service.

We do not use your data for advertising, profiling, or any purpose beyond operating the Confirm It service.

4. Third-Party Services

Confirm It transmits minimal data to third-party services only as required to deliver order confirmation messages. The specific third-party services used depend on your configuration:

Meta WhatsApp Cloud API (optional)

If you configure your Meta WhatsApp Business account, we transmit the customer's name, phone number, and order details to Meta's Cloud API to send a WhatsApp message.

Meta's privacy policy: facebook.com/policy.php

Green API (optional)

If you configure a Green API instance, we transmit the customer's phone number and order message text to Green API to send a WhatsApp message.

Green API's privacy policy: green-api.com/en/privacy-policy

Your IVR Provider (optional)

If you configure an IVR (automated voice call) endpoint, we transmit the customer's phone number and order reference to the URL you specify. You are responsible for the privacy practices of your chosen IVR provider.

Shopify

All data originates from your Shopify store via the Shopify API and webhooks. Shopify's own privacy policy governs data stored within the Shopify platform.

Shopify privacy policy: shopify.com/legal/privacy

5. Data Sharing

We do not sell, rent, or share your data or your customers' data with any third parties for commercial purposes. Data is only transmitted to third-party services as described in Section 4 above, solely to operate the Confirm It service on your behalf.

6. Data Retention

  • While the app is installed: Order data, customer data, and confirmation logs are retained for the duration of your subscription to enable the dashboard and reporting.
  • After uninstall: When you uninstall Confirm It, Shopify sends us an app/uninstalled webhook. We deactivate your store's access token immediately.
  • After the GDPR 48-hour window: Following a shop/redact GDPR request (which Shopify sends 48 hours after uninstall), all remaining shop data — including all orders, customers, and webhook logs associated with your store — is permanently deleted from our database within 24 hours.
  • Customer data requests: Upon receiving a customers/redact GDPR request, we permanently anonymise the specified customer's personal data (name, phone, email) within 24 hours.

7. Security

  • All communication between your browser, the Confirm It server, and Shopify is encrypted using HTTPS / TLS.
  • All Shopify webhooks are verified using HMAC-SHA256 signatures before processing to prevent spoofed requests.
  • Shopify access tokens are stored in our database and are never exposed in client-side code, logs, or error messages.
  • The Confirm It server is hosted on a dedicated cPanel Linux hosting environment. Access is restricted to authorised administrators only.

Despite these measures, no system is completely immune to security risks. We encourage you to revoke the Confirm It app's access token via your Shopify admin if you believe your store's credentials have been compromised.

8. Your Rights Under GDPR and Applicable Privacy Law

If you or your customers are located in the European Economic Area (EEA), the United Kingdom, or other jurisdictions with data protection laws, the following rights apply:

RightWhat it means
AccessRequest a copy of the personal data we hold about you
RectificationRequest correction of inaccurate data
ErasureRequest deletion of your personal data ("right to be forgotten")
RestrictionRequest that we limit how we process your data
PortabilityRequest a machine-readable export of your data
ObjectionObject to processing based on legitimate interest

To exercise any of these rights, contact us at privacy@codecilia.com. We will respond within 30 days.

Merchants are the data controllers for their customers' data within Confirm It. Codecilia acts as a data processor on the merchant's behalf. Merchants are responsible for ensuring they have a lawful basis to share their customers' data with Confirm It (e.g. a clear privacy policy informing customers that orders may be confirmed via WhatsApp or voice call).

9. Merchant Responsibility

By installing Confirm It, you (the merchant) confirm that:

  • You have obtained or will obtain necessary consents from your customers to contact them via WhatsApp or voice call for order verification purposes.
  • You have disclosed in your own store's privacy policy that customer phone numbers may be used for order confirmation via automated messaging.
  • You will comply with all applicable laws regarding electronic communications and automated messaging in your region, including but not limited to GDPR (EU), PDPA (Pakistan), and telecommunications regulations.
  • You are responsible for the content of messages sent through any WhatsApp or IVR credentials that you configure in the app settings.

10. Children's Privacy

Confirm It is a business-to-business (B2B) application intended solely for use by Shopify merchants and their adult customers. We do not knowingly collect personal data from children under 13. If you believe a child's data has been submitted to our service, please contact us immediately at privacy@codecilia.com.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify merchants via their registered email address or a notice within the app. Your continued use of Confirm It after any changes constitutes acceptance of the updated policy.

12. Contact Us

General Enquiries

admin@codecilia.com

Privacy / Data Requests

privacy@codecilia.com

Company

Codecilia
codecilia.com

Support

Visit Support Centre